This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 28.000000000000004%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVC%3C/text%3E%3C/svg%3E)
I have a SP2016 site collection
The Farm is composed as follows:
Domain server = DomainSPxxx
Frontend server = FrontendSP
Database server = DatabaseSP
The site collection has two extensions:
When a domain account authenticates with Windows Auth the username displayed is: userx@DomainSPxxx.com when it is connected with ldap it will be like '0#.f|ldapmember:userx|userx@DomainSPxxx.com'
On the extension default only the administrative accounts are used.
This extension is used exclusively for service / maintenance activities. For example, the document search crawl is performed on it.
Problem.
I have developed a workflow that performs operations on SP lists.
Given that :
The workflow manager is configured correctly
The user profile is configured correctly
That the two services are active.
The Worflow app for the site is active and correctly configured throw appinv.asxp page
StsApplication Pool Load profile is true
Worflow can use app feature is active
Explain problem
In practice, when the workflow from the https internet extension is launched, for each operation performed (for example reading records) and as if the system requires the presence of the domain user for the document library.
Example:
user '0 # .f | ldapmember: userx | userx@DomainSPxxx.com' collaborator on list 'TestList'
If the workflow performs a read operation on document library 'TestList' with user '0#.f|ldapmember:userx|userx@DomainSPxxx.com', this fails indicating resource access problems. I checked the SP log.
Below is an except:
CAML query: <View Scope = "RecursiveAll"> <Query> <Where> <Eq> <FieldRef Name = "ID" /> <Value Type = "Counter"> 8 </Value> </Eq> </Where>
</Query> <ViewFields> <FieldRef Name = "ContentTypeId" /> <FieldRef Name = "Title" /> <FieldRef Name = "ID" />
<FieldRef Name = "Created" /> <FieldRef Name = "Author" LookupId = "TRUE" /> <FieldRef Name = "Modified" />
<FieldRef Name = "Editor" LookupId = "TRUE" />....
Exception occured in scope Microsoft.SharePoint.SPListItemEntityCollection.GetById. Exception = System.ArgumentException: Element does not exist.
It may have been deleted by another user.
Actually the element exists I tried to launch the query from url with user '0#.f|ldapmember:userx|userx@DomainSPxxx.com' connected and the data is returned
It is as if the calls made from the workflow claim access only through domain accounts authenticated with Windows auth.
In the case of the above example it is not enough to give the right permissions on the collection for the account '0#.f|ldapmember:userx|userx@DomainSPxxx.com',
but to make the calls work you must give the same permissions for the account userx@DomainSPxxx.com.
Below is an extract from the log with some records that make me suspicious:
This is what I noticed:
Medium Name=Request (GET:https://testsite.domainspxxx.com/_api/web/lists(guid'4255a977-6694-4080-b065-0c685b28538b')/Items(8))
High Reached maximum number of failed machines based on ping results for this routing group
Unexpected User-Agent is empty
High Did not find token claim in token. ClaimType: 'scope'.
High Did not find token claim in token. ClaimType: 'scp'.
High Did not find token claim in token. ClaimType: 'clientappid'.
High Did not find token claim in token. ClaimType: 'appid'.
High Did not find token claim in token. ClaimType: 'roles'.
High Token is for a windows account.
Medium Couldn't find a user using property 'WorkEmail' of value 'userx@DomainSPxxx.it'
High GetUserProfile_RetrieveUser_Cache ExpectedFailure: Microsoft.Office.Server.UserProfiles.UserNotFoundException:
An error was encountered while retrieving the user profile. at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData
(UserProfileManager objManager, Nullable1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail, Boolean doNotResolveToMasterAccount) at Microsoft.Office.Server.UserProfiles.UserProfile.RetrieveUser(String strAcct, Guid gAcct, Byte[] bSid, Nullable1 recordId, Boolean doNotResolveToMasterAccount, Boolean loadFullProfile, Boolean loadColleagueRecordIds, String strEmail)
Medium Leaving Monitored Scope: (UserProfile.RetrieveUserFromCache) Execution Time=8.87822334961566; CPU Milliseconds=3; SQL Query Count=1;
Parent=Executing the user mapping operation in GetMappedIdentityClaim()
Medium Couldn't find a user using property 'SID' of value 'System.Byte[]'
Unexpected SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: InputIdentity doesn't conatin a PrimarySid claim.
Thanks
I am trying to reproduce this issue on my end and I'll get back to you if there is any update. Much appreciated for your patience and time.
hello, did you find something?
Hi @Vincenzo Contiello ,
I couldn't reproduce this issue on my end and I'm afraid it's hard to go on further troubleshooting. Suggest you to open a ticket with Microsoft, more experienced expert will give you instant assistance. Thanks for your understanding.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.